Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
How to Configure GlobalProtect for Customer Registry Check on W... - Knowledge Base - Palo Alto Networks

How to Configure GlobalProtect for Customer Registry Check on Windows

16791
Created On 12/22/21 20:43 PM - Last Modified 12/22/21 21:41 PM


Environment


  •  Palo Alto Networks firewall on PAN-OS 10.0+
  •  Existing GlobalProtect infrastructure
  •  Proper licensing 


Resolution


  • Configure GlobalProtect to check for the Windows registry key
  1.  Launch Regedit on the Windows endpoint and retrieve the registry value which you'll be using 
Note: In our example we will be using HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER GraphFile \\psistest.grf

Snapshot displaying the Windows Regedit dialog box
 
  1. Within PAN-OS, navigate to Network > GlobalProtect > Portals > "Select Portal" > Agent > "Select Config"
Snapshot displaying the GlobalProtect Portal Configuration dialog box
 
  1.  After selecting the appropriate configuration, navigate to HIP Data Collection > Custom Checks > Windows and select "Add" under "REGISTRY KEY"
Snapshot displaying the GlobalProtect Portal HIP custom check dialog box within PAN-OS
 
 
  1.  Enter the registry key chosen earlier in the "Registry Key" field and the associated value in the "Registry Value" field and then select OK
Note: In our example, we're using the values selected in step 1
 
Snapshot displaying the GlobalProtect Portal HIP custom check dialog box within PAN-OS
 
  1.  Next, configure the HIP object that will be used to match against the endpoints by navigating to Objects > GlobalProtect > HIP Objects > select Add and then specify a name for the Object
Snapshot displaying the HIP Object Dialog Box within PAN-OS
 
  1.  Then select the "Custom Checks" tab, select the Checkbox to enable custom checks, choose the Registry Key tab, and click Add
Snapshot displaying the HIP Object Dialog Box within PAN-OS
 
  1.  Specify the chosen registry key from step 1 in the Registry Key field, select Add, specify the key value and data in the appropriate fields as shown below, and then select OK
Snapshot displaying the HIP Object Dialog Box within PAN-OS
 
 
  1.  Now configure the HIP profile by navigating to Objects > GlobalProtect > HIP Profiles select Add and provide a name
  2.  Then select "Add Match Criteria", choose the Object created in step 5, and then select OK
Snapshot displaying the HIP Profiles Dialog Box within PAN-OS
 
  1.  Commit your changes
 
  • Verify the Endpoint matches the configured HIP profile
  1.  Upon a successful connection to GlobalProtect Portal and Gateway, we should see a match to our profile by navigating to Monitor > Logs > HIP Match and filtering by the appropriate user
Snapshot displaying the HIP Match logs within PAN-OS
 
  1.   You can also view this output via the cli by issue the following command: debug user-id dump hip-report computer <computer-name> user <username> ip <user-IP>
admin@PA-VM> debug user-id dump hip-report computer DESKTOP-PMINSSO user testuser ip 192.168.100.2



<?xml version="1.0" encoding="UTF-8"?>

<hip-report>

        <md5-sum>ecdf6c7058d9ec8b60c783c0a59d2bb1</md5-sum>

        <user-name>testuser</user-name>

        <domain>(empty_domain)</domain>

        <host-name>DESKTOP-PMINSSO</host-name>

        <host-id>30b6dc89-07d5-4bda-b946-9b28ad9eaefc</host-id>

        <ip-address>192.168.100.2</ip-address>

        <ipv6-address></ipv6-address>

        <generate-time>12/22/2021 12:14:23</generate-time>

        <hip-report-version>4</hip-report-version>

        <categories>

                <entry name="host-info">



<<<<<< OMITTED FOR BREVITY >>>>>>



         </categories>

        <custom-checks>

                <registry-key>

                        <entry name="HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER">

                                <exist>yes</exist>

                                <value></value>

                                <registry-value>

                                        <entry name="GraphFile">

                                                <exist>yes</exist>

                                                <value>\\psistest.grf</value>

                                        </entry>

                                </registry-value>

                        </entry>

                </registry-key>

        </custom-checks>

</hip-report>
 
  •  Use the HIP profile in the Security Policy
  1.   After you've confirmed the endpoint successfully matches the object, you can add this to your preferred Security policy rule by navigating to Policies > Security > "Select security policy" > Source > Source Device > Select Add and then choose the HIP profile configured in step 8
Snapshot displaying the HIP profile being added to a security policy within PAN-OS
 


Additional Information




Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004MdYCAU&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail